
Ponmocup Botnet Has Infected 15 Million Users over the Past Nine Years


Softpedia.com reported on 3rd December, 2015 that a mammoth botnet known as Ponmocup has been hiding in the shadows for the last nine years. According to estimates by Fox-IT's security researchers, the botnet has approximately 500,000 active bots and has infected approximately 15 million machines since 2006.

The botnet, previously also known as Virtumonde or Vundo, was first detected in 2006. It reached its peak in July 2011, when it infected around 2.4 million systems.

While security vendors managed to sinkhole many of its bots, the botnet has secured its place in history as one of the most lucrative, long-lasting and efficient botnets that ever existed.

So far, the team has found around 25 unique plug-ins and a massive 4,000 variants, indicating constant development.

The Ponmocup malware framework contains various components that are used to install, deliver, control and execute the malware. All of the components are designed to hinder researchers from reverse engineering the malware and analyzing its functionality.

The threat uses encryption and stores its components in various locations so as to avoid detection by conventional security products. For installation, it also relies on many different domains, which prevents security teams from using the domains as Indicators of Compromise (IoCs). In addition, Ponmocup can steal Facebook and FTP credentials, which the attackers might use to spread the malware further and increase the size of the botnet.

The cybercriminals have put massive time and effort into setting up the infrastructure used to control the Ponmocup botnet. Separate servers are used for each of the components, and communications between the malware and the backend servers pass through many proxy layers, which makes it difficult to disrupt the botnet as a whole.

Interestingly, security researchers claimed that Russian-speaking operators run the botnet, based on the fact that most of the tutorials, instructions and affiliate programs surrounding Ponmocup are written in Russian.

Moreover, it appears that the operators of Ponmocup have kept the botnet out of the territories of the post-Soviet states, a tactic that other cyber-criminal groups also employ, mainly so as not to provoke Russia's cyber-crime fighting units.

» SPAMfighter News - 12/14/2015
